SSP Installation Fails with Controller Nodes Stuck in Provisioned State

Article ID: 423299


Products

VMware vDefend Firewall with Advanced Threat Prevention, VMware vDefend Firewall

Issue/Introduction

SSP deployment fails during installation with the following error:

Failed 9/18 tasks: [Create workload cluster]
User requested to stop while waiting for all Kubernetes controller nodes to reach the 'Running' state.
Controller Nodes status: 0/3 running
(e.g., abcdz4001-controller-7hxmc – Provisioned)

The SSP installation does not progress beyond the workload cluster creation stage.

Environment

vDefend Security Services Platform 5.1

Cause

Network communication from the SSP worker nodes to the vCenter Server over TCP port 443 was blocked by firewall rules.

As a result, the Kubernetes controller nodes were unable to successfully communicate with vCenter, preventing them from transitioning to the Running state.

Resolution

Validate network connectivity from the SSP control/worker nodes that are provisioned but not in the Running state to the vCenter Server.

Steps to Validate Connectivity

  1. SSH into the SSP Installer node:

     • Use root for SSP 5.0
     • Use sysadmin for SSP 5.1 and later

  2. Retrieve the list of Kubernetes nodes and their IP addresses:

    k get nodes -o wide -A

  3. From the output, copy the External IP address of one of the controller or worker nodes that is stuck in the Provisioned state.

  4. SSH into the selected node:

    ssh capv@<external-ip-address>

  5. From the node, test connectivity to the vCenter Server on port 443:

    nc -vz <vcenter-domain-name> 443


Expected Output

If connectivity to vCenter is working correctly, the command should return output similar to:

Connection to <vcenter-domain-name> 443 port [tcp/https] succeeded!

 

If the Expected Output Is Not Achieved:

  • If the command times out or fails (for example: connection timed out, connection refused, or no route to host), it indicates that network connectivity to vCenter on port 443 is blocked.

  • Review and update firewall rules to allow outbound connectivity from SSP control and worker nodes to the vCenter Server IP/FQDN on TCP port 443.

  • Ensure the correct vCenter IP or FQDN is permitted in the firewall or security policies.

  • After updating the firewall rules, re-run the nc command to confirm successful connectivity.

  • Once connectivity is verified, retry the SSP deployment. The Kubernetes controller nodes should transition to the Running state and the deployment should complete successfully.
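
The following is an added example, not part of the original article or of the SSP tooling: a wrapper for the nc test above that bounds the wait with `-w 5` and labels which of the listed failure modes occurred, so the result can be handed to the firewall team. The function names, the 5-second timeout and the message patterns (English OpenBSD netcat / Ncat wording) are assumptions.

```shell
#!/bin/sh
# Added example. classify_nc and check_vcenter are hypothetical helper names.

# Map nc's exit status and message text to one outcome label.
# Patterns assume English nc/Ncat error wording (assumption).
classify_nc() {
    status=$1
    output=$2
    if [ "$status" -eq 0 ]; then
        echo "open"
        return 0
    fi
    case "$output" in
        *"timed out"*)        echo "timeout" ;;   # no reply before the deadline
        *"refused"*)          echo "refused" ;;   # connection actively rejected
        *"No route to host"*) echo "no-route" ;;  # routing or ICMP unreachable
        *"not known"*|*"resolve"*|*"resolution"*)
                              echo "dns" ;;       # name lookup failed, port never tested
        *)                    echo "failed" ;;
    esac
}

# Run the article's nc test with a bounded wait so a silently dropped
# connection does not hang the session. Port defaults to 443.
check_vcenter() {
    host=$1
    port=${2:-443}
    # Capture status without tripping "set -e" in a calling script.
    output=$(nc -vz -w 5 "$host" "$port" 2>&1) && status=0 || status=$?
    verdict=$(classify_nc "$status" "$output")
    echo "$host:$port $verdict"
    [ "$verdict" = "open" ]
}

# Usage on the node: sh check.sh <vcenter-domain-name> [port]
[ $# -eq 0 ] || check_vcenter "$@"
```

A `dns` result means the vCenter name did not resolve from the node, so the port 443 rule has not actually been exercised yet.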

For the complete list of required ports and protocols, refer to: Ports and Protocols for VMware-vDefend